Act now to avoid unnecessary exposure to information security risk
Transitioning your ISMS for the new edition of ISO/IEC 27001
With the publication of ISO/IEC 27002:2022, an amendment to ISO/IEC 27001 is expected soon, which will update the content of Annex A to align the controls with those in the new edition of ISO/IEC 27002. For continued conformity with ISO/IEC 27001, organisations will then be obliged to recompare their necessary controls with those in the new Annex A and amend their ISMS, including their Statements of Applicability (SOA), as appropriate. As this change impacts conformity assessment, the IAF (International Accreditation Forum) will issue a transition statement at about the same time. It is anticipated that organisations will have two years to make the change.
The new control set in ISO/IEC 27001 Annex A does not constitute a new set of control requirements. Nevertheless, changes will be required if, following recomparison, you discover any necessary control omissions, and need to justify any further Annex A exclusions.
The first step is to assess the impact of the changes on your ISMS. The most likely outcome is that you will need to rework your risk assessment and risk treatment processes, implement new controls and update your SOA.
When is the best time to do this?
The new edition of ISO/IEC 27001 is not expected until April-June 2022 and the transition period will not start until then. This implies that you have until mid-2024 to make any necessary changes. However, the risk is not a certification risk, it is an information security risk. If recomparison with the new control set discovers any omitted necessary controls, not implementing them now could mean that you are running unnecessary information security risks. ISO/IEC 27002 is available now, so you know what will be in the new Annex A. It is therefore prudent to carry out your impact assessment now.
What should I do now?
How can IMS-Smart help?
As part of our provision of expert ISMS consultancy, IMS-Smart can:
We have assisted many organisations to develop their ISMS and have provided training in the UK, Norway, Latvia, Germany, Switzerland, Saudi Arabia, Kuwait, Qatar, Mauritius, India, South Korea and Singapore.
How can I find out more and obtain a quotation?
Please use our enquiry facility or send us an email to start a conversation. We can continue by telephone or video conferencing. Once we understand your requirements, we will be pleased to prepare a quotation and submit it for your consideration. Hopefully, you will find that it is competitive, and offers quality and value for money.
© IMS-Smart Limited, 2022
Page last updated: February 4, 2022